I have a post rest api in spring boot. I am sending the password string in json payload for this api. While deserializing using jackson, I am using the String field in Request Dto class. Since, it is not secure I would like to know if there is way to deserialize the password string in json to guarded string implementation.
Guarded String Url : https://docs.oracle.com/html/E28160_01/org/identityconnectors/common/security/GuardedString.html
Or is. there a way to deserialize the string json to char array using jackson annotations.
Related
I have a JSON string from response to REST API which I am trying to deserialize into an ObjectNode in Jackson like below.
String response = webservice(...);
ObjectNode jsonObj = new ObjectMapper().readTree(response);
In our static scan of the source code, it found vulnerability to JSON injection that this call could allow an attacker to inject arbitrary elements or attributes into the JSON entity.
How can I make sure to protect against JSON injection?
Project: Android app using REST web service
Using:
Client - Volley
Server API - Jersey
Converter: Gson
This is my first time asking a question here, and i will provide my way of "evading" this code convention. Since i am working on a project where POJO fields are already defined as upper-case (sadly, i cant change that), i had to find a way to fix JSON string and convert it to an instance of uppercase POJO.
So basicaly its: client POJO <--> json object converted to/from gson <--> server POJO
So, lets say that i have a field in Users.class
String USERNAME;
When Jersey sends an instance of via #Produces, it follows the convention of creating JSON and sends an object
{"username": "random_name"}
When it gets converted from JSON via gson.fromJSON, an instance of a client's POJO will get null value for that field (obviously because field is in lower-case in JSONObject).
This is how i managed it by using a method that parses JSONObject and puts each key as upper-case:
public static String fixJSONObject(JSONObject obj) {
String jsonString = obj.toString();
for(int i = 0; i<obj.names().length(); i++){
try{
obj.names().getString(i).toUpperCase());
jsonString=jsonString.replace(obj.names().getString(i),
obj.names().getString(i).toUpperCase());
} catch(JSONException e) {
e.printStackTrace();
}
}
return jsonString;
}
And luckily since gson.fromJSON() requires String (not a JSONObject) as a parameter besides Class, i managed to solve the problem this way.
So, my question would be: Is there any elegant way of making JSON ignore that code convention and create a JSON object with an exact field? In this case:
{"USERNAME": "random_name"}
Jersey uses JAXB internally to marshall beans to xml/json. So you can always use #XmlElement annotation and use name attribute to set the attribute name to be used for marshalling
#XmlElement(name="USERNAME")
String USERNAME;
Just use annotation com.google.gson.annotations.SerializedName
Add in class Users.java:
#SerializedName("username")
String USERNAME;
I'm using Jersey (2.5.1) for a RESTish API with JAXB to marshal JSON to/from POJOs. The client will be doing a POST with the following request:
{
"type":"myevent",
"data":{
"id":"123",
"count":2
}
}
I have an 'Event' class which holds a type string and a data payload.
#XmlRootElement
public class Event {
#XmlElement public String type;
#XmlElement public JSONObject data;
...
}
The 'data' payload is a JSON object, however I don't know what type, or what the 'schema' of the object is. All I know is it's JSON. Above I have the type as a JSONObject, but that's just an example, maybe this needs to be Object? Map? Something else?
I want to be able to get the 'data' payload and persist this as JSON somewhere else.
I thought about using a String for the data payload, but then any API client would need to encode this and I would need to decode it before passing it on.
Any suggestions?
I usually work with strings on the backend side and then
JSONObject json = new JSONObject(s);
would create a json obj from that s (you don't need to decode).
On the client side I believe you just need to escape the " with something like a replaceAll function applied on that string
I am trying to parse JSON data being sent from UI in my Controller using Spring build Jackson support and this is my code
final Map<String, CartDataHelper> entriesToUpdateMap = new ObjectMapper().readValue(entriesToUpdate, new TypeReference<Map<String, CartDataHelper>>()
my JSON string is
{"0":"{\"categoryCode\":\"shoes\",\"productCode\":\"300050253\",\"initialQty\":\"3\",\"leftoverQty\":\"0\",\"newQty\":\"3\"}",
"1":"{\"categoryCode\":\"shoes\",\"productCode\":\"300050254\",\"initialQty\":\"3\",\"leftoverQty\":\"0\",\"newQty\":\"3\"}"}
i checked the JSON format using some online services and it seems valid, while tryin gto parse JSON data i am getting following exception
org.codehaus.jackson.map.JsonMappingException: Can not instantiate value of type [simple type, class controllers.util.CartDataHelper] from JSON String; no single-String constructor/factory method
my CartDataHelper class contains simple properties for for productCode, categoryCode etc with a no argument constructor
As comments mentioned, your JSON contains Map<String,String> and NOT Map<String,CartDataHelper>: values are JSON Strings, not JSON Objects.
Ideally you would not try writing out objects as JSON Strings; and if so, things would work.
It seems that on the client side the json is sent as a string instead as an object. That way on the server side you are receiveing a string and not a CartDataHelper as you pretend.
Try sending JSON.parse(stringCartDataHelper). It worked for me with the same issue.
I do have a JSON String request which uses JAXB to convert to number instead of fields
"{\"1\":{\"3\":\"788888\",\"2\":\"12345\",\"0\":{\"0\":\"Login\",\"1\":\"xx\",\"2\":\"yy\",\"3\":\"\",\"4\":\"1\",\"5\":\"hhh\"}}}"
And the response which we get is also in the above format
Is there any way to convert JSON String Response to Object where the object instance should be field values instead of numbers(keys)?
Note:-I had annotated(JAXB) fields in Request/Response class?